HackerOne: Session Management

ID H1:288
Type hackerone
Reporter javidhussain21
Modified 2014-04-19T20:59:20


HackerOne does not invalidate the session on the server side when the user logs out by clicking "Sign-Out" in the application. The session cookie is cleared on the client side (in the browser) but remains valid on the server, so if the old cookie is reused it still grants access to the user's account. When the user logs in again, a new session cookie is issued, but the earlier session cookies stay active on the server. As a result, any previously issued session cookie can be replayed to regain access to the account.
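The defect above, as an added example that is not HackerOne's code or the reporter's: a minimal in-memory session store (the username is constructed) run through the report's sequence, once with the flawed logout that only relies on the browser dropping the cookie and once with logout destroying the server-side session, so the replay check a tester would perform can be seen passing and failing.

```python
# Added example (not HackerOne's code): minimal in-memory session store
# showing the logout defect described in the report, beside the corrected version.
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table: token -> username. The cookie carries only
    the token; the server decides whether that token is still valid."""

    def __init__(self, invalidate_on_logout: bool) -> None:
        self.sessions: Dict[str, str] = {}
        self.invalidate_on_logout = invalidate_on_logout

    def login(self, username: str) -> str:
        """Issue a fresh random token; it is returned to the client as a cookie."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def logout(self, token: str) -> None:
        # Flawed behaviour: only the browser's cookie is cleared; the server
        # keeps its record, so a replayed token is still accepted.
        if self.invalidate_on_logout:
            self.sessions.pop(token, None)  # fix: destroy the server-side session

    def whoami(self, token: str) -> Optional[str]:
        """What the server does on a request carrying this cookie value."""
        return self.sessions.get(token)


def demo(invalidate_on_logout: bool) -> dict:
    """Report's sequence: log in, sign out, replay the old cookie, log in again."""
    store = SessionStore(invalidate_on_logout)
    first = store.login("alice")            # constructed sample user
    store.logout(first)                     # client cookie cleared here
    after_logout = store.whoami(first)      # replay of the pre-logout cookie
    second = store.login("alice")           # new cookie issued on re-login
    return {
        "old_cookie_valid_after_logout": after_logout is not None,
        "old_cookie_valid_after_relogin": store.whoami(first) is not None,
        "new_cookie_valid": store.whoami(second) is not None,
        "live_sessions_for_user": sum(1 for u in store.sessions.values() if u == "alice"),
    }


if __name__ == "__main__":
    print("flawed logout:", demo(invalidate_on_logout=False))
    print("fixed logout: ", demo(invalidate_on_logout=True))
```

The check worth keeping in a regression suite is the replay after sign-out: a logged-out cookie must be rejected by the server regardless of what the browser did with it.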